Re: snort setup

["Scot Scot" <scotw () hotmail com>]

Might look something like this:

                                             DMZ
                                                 |
                                                 |
                                             |TAP|-------Snort
                                                 |
                                                 |
Cisco Router ----| TAP|-----Firewall------|TAP|------------Switch
                                |                                     |
                                |                                     |
                            Snort                              Snort

You can then correlate your intrusion traffic between sensors. I would not
recommend using the mirroring port on a Switch, it can be very processor
intensive and you may not detect all fragmented packets.

Scot


<snip>
> where would you put the DMZ and firewall?
>
>
> Friday, July 12, 2002, 11:41:35 PM, you wrote:
>
> SS> If you put a HUB in you'll knock your traffic down to Half-Duplex
>
> SS> Perhaps you could throw in a TAP:
>
> SS> Cisco Router ----| Network
TAP|-----------------HUB------------------Switch
> SS>                                        |
> SS>                                        |
> SS>                                        |
> SS>                               Snort Sensor
>
> SS> Here's one company (of many) off the top of my head:
>
> SS> www.netoptics.com
>
> SS> Scot
>
> SS> ----- Original Message -----
> SS> From: "Tom Sevy" <tsevy () epx com>
> SS> To: "user snort" <snort-users () lists sourceforge net>
> SS> Sent: Friday, July 12, 2002 9:30 AM
> SS> Subject: RE: [Snort-users] snort setup
>
>
> > > I would recommend instead that you put a decent hub in rather than put
the
> > > snort box inline.  What happens when you have to reboot the snort
server
> > > box?  You (& your users & your web visitors) will lose the internet
> > > connection.
> > >
> > > So go with:
> > >
> > > Cisco Router ---------------------HUB------------------Switch
> > >                                    |
> > >                                    |
> > >                                    |
> > >                               Snort Sensor
> > >
> > >
> > >
> > > -----Original Message-----
> > > From: Alwin Raymundo [mailto:alrayworld () yahoo com]
> > > Sent: Friday, July 12, 2002 7:36 AM
> > > To: user snort
> > > Subject: [Snort-users] snort setup
> > >
> > >
> > > Hi all,
> > >
> > > Here is my another naive question.  I want to put my
> > > snort box in front of my switch because my swith is
> > > not capable of port mirroring.
> > >
> > > internet -> cisco router -> snort box -> switch ->
> > > servers
> > >
> > > My future setup on snort box (redhat 7.3, snort -mysql
> > > and 2 nic cards).
> > >
> > > here now the question about the 2 nic what should I
> > > used ip address to these 2 nic cards, should it be 2
> > > public ip address? or 1 public IP address and 1
> > > network address.
> > >
> > > any help would be highly appreciated.
> > >
> > > Thanks in advance, brother in snort.
> > >
> > >
> > > =====
> > > Alwin Raymundo
> > >
> > > __________________________________________________
> > > Do You Yahoo!?
> > > Sign up for SBC Yahoo! Dial - First Month Free
> > > http://sbc.yahoo.com
> > >
> > >
> > > -------------------------------------------------------
> > > This sf.net email is sponsored by:ThinkGeek
> > > Gadgets, caffeine, t-shirts, fun stuff.
> > > http://thinkgeek.com/sf
> > > _______________________________________________
> > > Snort-users mailing list
> > > Snort-users () lists sourceforge net
> > > Go to this URL to change user options or unsubscribe:
> > > https://lists.sourceforge.net/lists/listinfo/snort-users
> > > Snort-users list archive:
> > > http://www.geocrawler.com/redir-sf.php3?list=snort-users
> > >
> > >
> > > -------------------------------------------------------
> > > This sf.net email is sponsored by:ThinkGeek
> > > Gadgets, caffeine, t-shirts, fun stuff.
> > > http://thinkgeek.com/sf
> > > _______________________________________________
> > > Snort-users mailing list
> > > Snort-users () lists sourceforge net
> > > Go to this URL to change user options or unsubscribe:
> > > https://lists.sourceforge.net/lists/listinfo/snort-users
> > > Snort-users list archive:
> > > http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
>
> SS> -------------------------------------------------------
> SS> This sf.net email is sponsored by:ThinkGeek
> SS> Gadgets, caffeine, t-shirts, fun stuff.
> SS> http://thinkgeek.com/sf
> SS> _______________________________________________
> SS> Snort-users mailing list
> SS> Snort-users () lists sourceforge net
> SS> Go to this URL to change user options or unsubscribe:
> SS> https://lists.sourceforge.net/lists/listinfo/snort-users
> SS> Snort-users list archive:
> SS> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
>
>
> --
> Best regards,
>  Darren                            mailto:darren () horseplay demon co uk


-------------------------------------------------------
This sf.net email is sponsored by:ThinkGeek
Gadgets, caffeine, t-shirts, fun stuff.
http://thinkgeek.com/sf
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users